Hello all,

Recently I was asked to start using Puppet as part of our Eucalyptus powered internal cloud. I have been able to set up Puppet and a puppet master on various instances, but what I am running into, is that several of the instances have the same hostname or no hostname when they are first launched, so of course when they try to get a cert from puppetmaster I get an error saying that I can't overwrite the existing certificate with the new one.

My question is:

If I have one instance launched in a cloud with a hostname of debian.example.org and then that instance is terminated, and then I bring up an identical instance but this one has a new IP address, how can I get a cert for this new instance? Obviously I can do a clean on the puppetmaster, but I need to automate this process somehow, as this could happen constantly with our customers launching new instances or identical instances.

Any thoughts?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Hi,

You could clean the certificate on the puppetmaster CA using puppetca --clean debian.example.org prior to connecting the rebuilt server again.

If you have a short lifecycle and rapid turnover of the same hostname, you may benefit from using the certname configuration variable and using some other fact besides the fqdn for the certificate common name field. Large sites with high turnover often set the cert CN to a uuid or something similar.

--
Jeff McCune

On Wed, May 5, 2010 at 11:51 AM, Murteas <murteas@gmail.com> wrote:
> Hello all,
>
> Recently I was asked to start using Puppet as part of our Eucalyptus
> powered internal cloud. I have been able to set up Puppet and a
> puppet master on various instances, but what I am running into, is
> that several of the instances have the same hostname or no hostname
> when they are first launched, so of course when they try to get a cert
> from puppetmaster I get an error saying that I can't overwrite the
> existing certificate with the new one.
>
> My question is:
>
> If I have one instance launched in a cloud with a hostname of
> debian.example.org and then that instance is terminated, and then I
> bring up an identical instance but this one has a new ip address, how
> can I get a cert for this new instance? Obviously I can do a clean
> on the puppetmaster, but I need to automate this process somehow, as
> this could happen constantly with our customers launching new
> instances or identical instances.
>
> Any thoughts?

Sounds like using the certname configuration variable is what I need, I expect to have users terminating and launching new instances all the time, with or without notice, so something that doesn't require my attention at each launch is critical.

I'll search for how to customize the cert CN, but if you have a suggestion on where to look, that would be appreciated as well.

Thank you for the help!!!

On May 5, 10:31 am, Jeff McCune <mccune.j...@gmail.com> wrote:
> Hi,
>
> You could clean the certificate on the puppetmaster CA using puppetca
> --clean debian.example.org prior to connecting the rebuilt server
> again.
>
> If you have a short lifecycle and rapid turnover of the same hostname,
> you may benefit from using the certname configuration variable and
> using some other fact besides the fqdn for the certificate common name
> field. Large sites with high turnover often set the cert CN to a uuid
> or something similar.
>
> --
> Jeff McCune
>
> On Wed, May 5, 2010 at 11:51 AM, Murteas <murt...@gmail.com> wrote:
> > Hello all,
> >
> > Recently I was asked to start using Puppet as part of our Eucalyptus
> > powered internal cloud. I have been able to set up Puppet and a
> > puppet master on various instances, but what I am running into, is
> > that several of the instances have the same hostname or no hostname
> > when they are first launched, so of course when they try to get a cert
> > from puppetmaster I get an error saying that I can't overwrite the
> > existing certificate with the new one.
> >
> > My question is:
> >
> > If I have one instance launched in a cloud with a hostname of
> > debian.example.org and then that instance is terminated, and then I
> > bring up an identical instance but this one has a new ip address, how
> > can I get a cert for this new instance? Obviously I can do a clean
> > on the puppetmaster, but I need to automate this process somehow, as
> > this could happen constantly with our customers launching new
> > instances or identical instances.
> >
> > Any thoughts?
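
The UUID-as-certname approach suggested in the thread, sketched as a first-boot step (an added example, not code from the thread or from the Puppet project): it writes a generated UUID as certname in puppet.conf once and reuses it on later runs, so a relaunched image with a recycled hostname never asks for a certificate name the CA has already signed. The function names, the placement under [main] and the UUID sources are assumptions.

```shell
#!/bin/sh
# Added example: give each instance a stable, unique Puppet certname.
# Assumption: the agent reads certname from the [main] section of the file passed in.

# Print a lowercase UUID: Linux kernel source first, uuidgen as a fallback.
new_uuid() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        uuidgen | tr 'A-Z' 'a-z'
    fi
}

# Print the certname already configured in the file, or nothing if unset.
current_certname() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*certname[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# Ensure the file carries a certname and print it.
# An existing value is kept, so a reboot of the same instance keeps its certificate.
ensure_certname() {
    conf=$1
    existing=$(current_certname "$conf")
    if [ -n "$existing" ]; then
        printf '%s\n' "$existing"
        return 0
    fi
    id=$(new_uuid) || return 1
    [ -n "$id" ] || return 1
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    if [ -f "$conf" ] && grep -q '^\[main\]' "$conf"; then
        # Insert the setting directly below the existing [main] header.
        awk -v line="certname = $id" \
            '{ print } /^\[main\]/ && !done { print "    " line; done = 1 }' "$conf" > "$tmp"
    else
        # No [main] section yet: create one first, then keep any existing content.
        {
            printf '[main]\n    certname = %s\n' "$id"
            if [ -f "$conf" ]; then cat "$conf"; fi
        } > "$tmp"
    fi
    # Replace the config in one step so a half-written file is never read.
    mv "$tmp" "$conf" && printf '%s\n' "$id"
}
```

Call ensure_certname with the agent's puppet.conf path (commonly /etc/puppet/puppet.conf, assumed here) before the agent's first run. The machine image itself must be captured without a certname line, otherwise every instance launched from it reuses the same identity.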